> [X] Alpha - go ahead and release as 10.1.0-M14 (alpha)

Ray

On Thu, Mar 31, 2022 at 11:13 AM <jonmcalexan...@wellsfargo.com.invalid> wrote:
> Thank you Mark. I know it's not a Tomcat vulnerability, but if the
> Hardening mitigates the other, then that had me wondering was all.
>
> Thanks for the position clarification.
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Infrastructure Engineer
> Asst Vice President
> He/His
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexan...@wellsfargo.com
>
> This message may contain confidential and/or privileged information. If
> you are not the addressee or authorized to receive this for the addressee,
> you must not use, copy, disclose, or take any action based on this message
> or any information herein. If you have received this message in error,
> please advise the sender immediately by reply e-mail and delete this
> message. Thank you for your cooperation.
>
> > -----Original Message-----
> > From: Mark Thomas <ma...@apache.org>
> > Sent: Thursday, March 31, 2022 10:08 AM
> > To: dev@tomcat.apache.org
> > Subject: Re: [VOTE] Release Apache Tomcat 10.1.0-M14
> >
> > On 31/03/2022 15:56, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > > Noting the Hardening of the class loader, is this going to require
> > > this to be a security release of the newest Tomcat releases
> > > (forthcoming), or will they still just be standard releases?
> >
> > That change does not address a security vulnerability in Apache Tomcat.
> >
> > There will be no CVE for this change.
> >
> > We generally use hardening to refer to things that do not address a
> > vulnerability but improve the overall security posture. Typically, these
> > changes provide additional defense in depth.
> >
> > In this instance, it mitigates CVE-2022-22965 which is a Spring Framework
> > vulnerability. The main purpose of the release is to provide end users
> > with an alternative option if updating Tomcat is simpler than updating
> > the version of Spring they are using.
> >
> > To provide some context, similar recent hardening changes include:
> >
> > - Using a constant time algorithm to compare passwords. Analysis showed
> >   that a timing attack wasn't feasible but we switched now in case it
> >   became feasible at some point in the future
> >
> > - We changed the BeanFactory in 10.1.x (and might back-port the change)
> >   to prevent it from being used if an application has a JNDI injection
> >   vulnerability
> >
> > Finally, we will either keep completely silent about security
> > vulnerabilities until they are published or we will be completely open
> > about them up front (e.g. if there is a zero day).
> >
> > HTH,
> >
> > Mark
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: dev-h...@tomcat.apache.org

--
*Raymond Augé* (@rotty3000)
Senior Software Architect
*Liferay, Inc.* (@Liferay)
OSGi Fellow, Java Champion
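The constant-time password comparison that Mark lists as a recent hardening change is a good illustration of what "improves the overall security posture without addressing a specific vulnerability" means in practice. The Python below is an added example for this thread, not Tomcat's own code: it contrasts an early-exit byte comparison, whose work (and therefore time) grows with the length of the matching prefix, against a constant-time comparison that always examines every byte, and it shows the production-style pattern of hashing to a fixed length and then comparing with the standard library's `hmac.compare_digest`. The function names, the salt and the sample secret are constructed for the demonstration.

```python
"""
Constant-time vs early-exit comparison of secrets (added example).

An early-exit comparison stops at the first mismatching byte, so the number
of bytes it examines, and hence the time it takes, reveals how long the
matching prefix is. A constant-time comparison always examines every byte,
so its timing carries no information about where the inputs differ.
"""
import hashlib
import hmac

# Constructed sample credential material for the demonstration (not real data).
SALT = b"example-salt"
STORED_DIGEST = hashlib.sha256(SALT + b"correct horse battery staple").digest()


def early_exit_equals(a: bytes, b: bytes) -> tuple[bool, int]:
    """Compare a and b, returning (equal, bytes_examined).

    Returns as soon as a byte differs; bytes_examined therefore grows with
    the length of the matching prefix, which is the timing side channel.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equals(a: bytes, b: bytes) -> tuple[bool, int]:
    """Compare a and b, returning (equal, bytes_examined).

    Every byte is visited and differences are OR-accumulated, so
    bytes_examined is always len(a) regardless of where a mismatch is.
    Lengths are still compared up front, so feed it fixed-length values
    (for example digests) rather than raw user input.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def verify_password(presented: bytes, stored_digest: bytes = STORED_DIGEST,
                    salt: bytes = SALT) -> bool:
    """Production-style check: hash to a fixed length, then compare with the
    standard library's constant-time routine instead of a hand-rolled loop."""
    candidate = hashlib.sha256(salt + presented).digest()
    return hmac.compare_digest(candidate, stored_digest)


def prefix_leak_demo() -> dict[str, list[int]]:
    """Show how bytes_examined changes for guesses sharing 0, 3 and 6 leading
    bytes with the secret: the early-exit counts climb, the constant-time
    counts do not."""
    secret = b"abcdefgh"
    guesses = [b"zzzzzzzz", b"abczzzzz", b"abcdefzz"]
    return {
        "early_exit": [early_exit_equals(secret, g)[1] for g in guesses],
        "constant_time": [constant_time_equals(secret, g)[1] for g in guesses],
    }


if __name__ == "__main__":
    print(prefix_leak_demo())
    print(verify_password(b"correct horse battery staple"))
    print(verify_password(b"wrong"))
```

The byte counters stand in for wall-clock time so the effect is visible deterministically; in real code the hand-rolled loop is only there to show the idea, and `hmac.compare_digest` (or `MessageDigest.isEqual` on the JVM) is the routine to call. Hashing before comparing also removes the length check as a signal, since both sides are always the digest length.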